[Freeipa-devel] Summary of Session discussion

Stephen Gallagher sgallagh at redhat.com
Thu May 26 18:59:16 UTC 2011


On Thu, 2011-05-26 at 14:43 -0400, Simo Sorce wrote:
> On Thu, 2011-05-26 at 14:19 -0400, Dmitri Pal wrote:
> > Cookie can be stored on the home directory of the user and user home
> > directory can be NFS mounted so if we save anything important in the
> > cookie the NFS root would be able to impersonate the user. It assumes
> > that TGTs are not stored on the NFS in this case so replacing the TGT
> > auth with fast session cookie auth would be a security issue.
> > I hope I understand the issue correctly.
> 
> We can store the cookie in the ccache, so that we have it in the
> same place the TGT is. We shouldn't save it in the home, as it is
> insecure indeed.

I'd like to point out that this is a strong argument for adding the
SSSD/LDB Kerberos credential cache. It's unsafe to store the user's
credential cache in their home directory (because it may be an NFS mount
and therefore vulnerable to root on another machine).

However, the other common location for a credential cache is in /tmp,
which becomes an issue for systems running with pam_namespace or
sandboxing (where different processes have different views of the
contents of /tmp).

To avoid both of these situations, it might be best for us to store the
credential cache in SSSD.

For more information, see https://fedorahosted.org/sssd/ticket/652 and
https://bugzilla.redhat.com/show_bug.cgi?id=618689
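As an added illustration of the two risky locations discussed in this thread (this is example code, not part of the message or of FreeIPA/SSSD): a small Python check that resolves a KRB5CCNAME value to the path it refers to, looks that path up in a constructed /proc/mounts-style table, and classifies it as living on a network filesystem (the NFS-mounted home case), under /tmp (the pam_namespace case), on another local filesystem, or not on a filesystem at all. The mount table and cache names are constructed samples.

```python
"""Classify where a Kerberos credential cache lives.

Added example (not FreeIPA/SSSD code). Flags the two locations the thread
above calls out: a network filesystem such as an NFS-mounted home directory,
where root on the file server can read the cache, and /tmp, which
pam_namespace or sandboxing may virtualise per process.
"""
import posixpath

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,vers=3,addr=10.0.0.5 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

# Filesystem types whose contents are readable by an administrator of a remote host.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "afs", "fuse.sshfs"}


def parse_mounts(text):
    """Return [(mountpoint, fstype), ...] from /proc/mounts-style text.
    The kernel escapes spaces in mount points as \\040, so decode them."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def mount_for(path, mounts):
    """Find the mount containing `path`: the longest mount point that is a
    whole-component prefix of it. Returns (mountpoint, fstype) or None."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint, fstype in mounts:
        mp = posixpath.normpath(mountpoint)
        if path == mp or mp == "/" or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def ccache_file_path(krb5ccname):
    """Map a KRB5CCNAME value to the filesystem path it names.
    A value with no type prefix (no ':' before the first '/') is a bare
    FILE path; FILE: and DIR: caches live on a filesystem; any other
    type (e.g. MEMORY:) is not a file and yields None."""
    colon = krb5ccname.find(":")
    slash = krb5ccname.find("/")
    if colon == -1 or (slash != -1 and slash < colon):
        return krb5ccname
    ctype, residual = krb5ccname[:colon], krb5ccname[colon + 1:]
    if ctype in ("FILE", "DIR"):
        return residual
    return None


def classify_ccache(krb5ccname, mounts_text=SAMPLE_MOUNTS):
    """Return 'non-file', 'network-fs', 'tmp' or 'local' for a cache name."""
    path = ccache_file_path(krb5ccname)
    if path is None:
        return "non-file"
    path = posixpath.normpath(path)
    mount = mount_for(path, parse_mounts(mounts_text))
    if mount is not None and mount[1] in NETWORK_FS:
        return "network-fs"
    if path == "/tmp" or path.startswith("/tmp/"):
        return "tmp"
    return "local"


if __name__ == "__main__":
    # Constructed cache names covering each classification.
    for name in ("FILE:/home/alice/.krb5cc", "/tmp/krb5cc_1000",
                 "DIR:/var/lib/sss/ccache/alice", "MEMORY:"):
        print(f"{name:32} -> {classify_ccache(name)}")
```

The network-filesystem check runs before the /tmp check on purpose: if /tmp itself were a network mount, the stronger finding (readable by a remote administrator) should win over the weaker one (per-process view of /tmp). On a real host, replace SAMPLE_MOUNTS with the contents of /proc/mounts.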